Re: sweet32 and ssl-enum-ciphers question

[Daniel Miller <bonsaiviking () gmail com>]

Todd,

The "+" forces the script to run on every discovered open port regardless
of whether it is a "likely SSL" port or not. The default behavior is to
only run on known SSL or STARTTLS ports (3389 is included in this list).
The generally-accepted way to run the script against discovered services on
unusual ports is to add -sV to perform service and application version
detection. This way, the script can match not only on the port number but
also on the service name or the detected ssl tunnel. Using "+" is slightly
faster in the single-port known-service case, but can produce a lot of
useless traffic if you are scanning many ports, since most of them will not
be SSL.

Dan

On Tue, Jan 31, 2017 at 12:29 AM, ToddAndMargo <ToddAndMargo () zoho com>
wrote:

> On 01/30/2017 10:09 PM, ToddAndMargo wrote:
>
> > On 01/30/2017 11:12 AM, ToddAndMargo wrote:
> >
> > > Hi All,
> > >
> > > I have a customer that got tagged with sweet32 on his PCI (credit
> > > card security) external scan.  He is using RDP on a couple
> > > of his workstations so he can log in from home and I do believe
> > > the issue is that he hasn't done his Windows 7 updates
> > > in about two years.  I will fix.
> > >
> > > Anyway, I am on nmap 7.40.  Reading over at:
> > >
> > > https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
> > >
> > > It shows a bunch of this stuff:
> > >
> > >       Example Usage
> > >
> > >       nmap --script ssl-enum-ciphers -p 443 <host>
> > >       Script Output
> > >       PORT STATE SERVICE REASON 443/tcp open https syn-ack
> > >
> > >       | ssl-enum-ciphers:
> > >       |   TLSv1.0:
> > >       |     ciphers:
> > >       |       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > >       |       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > >
> > > and on and so forth
> > >
> > > My intention is to use NMap to identify the sweet32 vulnerability
> > > and to then use NMap again to verify I have solved the issue.
> > >
> > > I am specifically looking for the "3DES" entry associated with
> > > sweet32.
> > >
> > > When I run this probe, I do not get any of the this stuff.
> > > I do get stuff back, but not the list with all the ciphers.
> > >
> > > This is what I ran:
> > >
> > > nmap -p xxxx,yyyy -v --script ssl-enum-ciphers www.xxx.yyy.zzz
> > >
> > > Am I missing something here?
> > >
> > >
> > > Many thanks,
> > > -T
> > By chance, if the port(s) are closed properly, would I
> > not see the "ssl-enum-ciphers" report that shows
> > on https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
> > as the script could find anything?
>
> This script "--script +ssl-enum-ciphers" found
>
>       64-bit block cipher 3DES vulnerable to SWEET32 attack
>
> So now I can reproduce.
>
> What did the "+" sign do to make the difference?
>
>
> Many thanks,
> -T
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Serious error.
> All shortcuts have disappeared.
> Screen. Mind. Both are blank.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/